Wp Sec Quocirca Digital Identities

  • 7/28/2019 Wp Sec Quocirca Digital Identities

    Digital identities and the open business

    Identity and access management as a driver for business growth

    February 2013

    Identity and access management (IAM) systems are today used by the majority of European enterprises. Many of these are still installed on-premise but increasingly they are being supplemented by the use of on-demand IAM services (IAMaaS). The overall uptake represents a big increase from when Quocirca last surveyed the market in 2009¹.

    Whilst IAM is important for managing the access rights of increasingly mobile employees, three other major drivers have encouraged businesses to invest despite the tight economic conditions: the opening up of more and more applications to external users, the growing use of cloud based services and the rise of social media. The ultimate aim with all three is to nurture new business processes, thereby finding and exploiting new opportunities.

    This report presents new research into the use and benefits of IAM and the relationship it has with these three drivers. The research is based on over three hundred interviews with senior IT managers in medium sized to large organisations in a range of business sectors across Europe. The report should be of interest to anyone wanting to better serve all types of users, whilst still keeping control over applications and data.

    Bob Tarzey

    Quocirca Ltd

    Tel: +44 7900 275517

    Email: [email protected]

    Rob Bamforth

    Quocirca Ltd

    Tel: +44 7802 175796

    Email: [email protected]

    Effective identity and access management (IAM) is seen as an essential tool for enabling open interaction between a business and its users, be they consumers, employees or users that are employees of other businesses, such as partners or customers.

    Many businesses now have more external users than internal ones

    The majority of businesses now open up at least some of their applications to external users, with 58% saying they transact directly with users from other businesses and/or consumers. The scale of the business processes they are running that require this will often mean the number of external users exceeds internal ones. This has led to a rise in the uptake of IAM systems with advanced capabilities to handle multiple types of users.

    Advanced IAM also helps organisations embrace cloud services and social media

    97% of organisations that are enthusiastic about cloud-based services have deployed IAM in general and 65% are using IAM-as-a-service (IAMaaS); only 26% of cloud avoiders use any form of IAM. The single-sign-on (SSO) capability of such services acts as a broker and a central place to enforce usage policy between users and both on-premise and on-demand applications. Many businesses also recognise the value of social media, with the top motivation being to identify and communicate with potential customers.

    Deployment of IAM has increased markedly in the last three years

    When Quocirca last researched the IAM market in 2009¹, 25% had some form of IAM in place, with 52% saying it was planned although, for many, those plans were delayed. However, regardless of the ensuing tight economic conditions, 70% have now deployed IAM. For 27% this is a totally on-premise system, however, 22% have already chosen to use a pure on-demand system, whilst 21% have a hybrid deployment.

    The number of sources of identity is extending well beyond in-house directories

    Active Directory is the most widely used primary source of identity for employees (68% of respondents). For users from customer and partner organisations the most common sources of identity are their own directories (11–12%). Secondary sources include the membership lists of professional bodies, for example legal and medical practitioners (7–8%) and government databases (2–3%). 12% use social media as a primary source of identity for consumers, 9% say it is secondary. These fairly low use rates of alternative sources suggest an untapped business opportunity, perhaps because currently deployed IAM tools do not facilitate it.

    IAM eases a number of management challenges

    The top IT management challenge eased by IAM is the enforcement and management of access policy. However, it is also about improving the user experience by providing easy federated access to multiple applications and enabling user self-service. Whilst there are many benefits for businesses to be gained from effective IAM it seems likely that IT departments are under-selling these benefits.

    The benefits of IAMaaS, in particular, are widely recognised

    The potential of IAMaaS is widely recognised even by those with pure on-premise IAM deployments. Lower management and ownership costs along with improved employee productivity top the list, with ease of integrating external users not far behind. Those who make extensive use of cloud-based services are especially likely to recognise the benefits of IAM in general and select IAMaaS in particular.

    Conclusions

    Having an identity and access management system in place is now seen as an imperative by many businesses to achieving a wide range of IT and business goals. Those organisations that lack effective IAM are likely to lag behind their competitors in many areas as more and more business-to-business (B2B) and business-to-consumer (B2C) transactions move online, cloud services become the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source of identity.

    Introduction: identity as the new perimeter

    Identity and access management (IAM) is all about a business authenticating and understanding its users. This includes its employees, but also the growing number of external users that a given business allows to access its applications (Figure 1), both those installed on-premise and those that are subscribed to as on-demand services. Identity and access management (IAM) systems are increasingly being seen as the bridge between users and applications; either of which can be inside or outside of the firewall that has traditionally been the boundary of a given organisation's IT systems. This has led to the concept of the identity perimeter².

    Some organisations say they no longer even have office-based employees, with all employees being considered as mobile (just 8% said they had only office-based users). However, the biggest change is the degree to which consumers and the employees of customer organisations are being given access; 58% of the businesses surveyed have now opened up applications to users from customer organisations, consumers or both (the figure of 58% is derived by adding together the numbers for those who interact with consumers and those that interact with users of customer organisations and subtracting from the total those who say they interact with both). The main motivator is to transact directly with these external users online (Figure 2).

    IAM is also about making sure all users have convenient access to the resources they require, whilst maintaining appropriate levels of security and privacy and ensuring compliance requirements can be met. It is not about the creation and storage of identities per se. As this report will go on to show, effective IAM enables the federated use of a wide range of existing sources of identity. It also provides the balance between opening applications up to mobile and external users whilst making sure those applications, and the data to which they provide access, are appropriately protected.

    The degree of transaction with external users varies by sector. With growth in use of online banking, financial services organisations are the most likely to be interacting with consumers, with 54% already doing so, along with government organisations, 49% of which are already transacting online with citizens. Telcos (as service providers) lead when it comes to direct interaction with users in business customer organisations with 48% doing so already, with manufacturers coming in second at 42% with their complex supply chains. The profile of interaction is likely to change over time as the benefit of direct interaction is increasingly recognised and more and more products and services are sold directly.

    Beyond the opening up of applications to external users, there are two other major drivers for IAM.

    First, there is the increasing acceptance and take up of cloud services (Figure 3). The research unambiguously shows that those organisations that are making wide use of cloud services have also invested in IAM (see later section on IAMaaS). The main reasons for this are that IAM eases the way access to cloud-based services is granted and revoked and once a user has logged on once they can be given immediate access to multiple cloud services.

    Second is the rising use of social media (Figure 4), which can help businesses to better understand customer preferences and improve the overall customer experience. Many think there is huge business potential here; however, the number one reason for working with social media highlighted by this research is being able to identify and communicate with potential customers. Advanced IAM systems enable this by allowing users to make use of their own existing identities, which in turn enables easier interaction and should lead to faster business growth.

    Businesses need to recognise that the return on investment in IAM is not just improved security but an open ended business opportunity; knowing your users through their digital identities and then being able to maximise their potential is the cornerstone for controlling interaction between a given business and the outside world.

    You and your digital identity, the rise of social media

    The age of bring-your-own-identity (BYOID)

    For one group in particular, consumers, social media is emerging as a key source of identity (Figure 5). Real world examples of this include organisations that have internet-centric business models, for example music download sites such as Spotify and charity giving sites such as JustGiving, that allow users to login using their Facebook identities; this makes it far easier for users to sign up and for donors to part with their money.

    However, usage looks set to expand into more conservative areas; for example, the UK government is also evaluating Facebook as part of the Identity Assurance (IDA) programme³, a way of better enabling secure transactions between public sector bodies and citizens. Is it even possible in the future that Facebook or Google identities could be the basis for access to online banking? This would not be such a huge step; according to a recent report from Virgin Media⁴, two thirds of UK banks have already speeded up customer service through use of Twitter.

    This has led to the emergence of the concept BYOID (bring-your-own-identity), something that may well extend beyond consumers all the way to employees in the fullness of time. Before too long employees may take their identities with them from one job to the next in a similar way that many already do with their smartphones and other access devices (BYOD, bring-your-own-device, another industry trend that has already taken hold⁵).

    Many may consider that an identity taken from a social media site cannot be trusted. However, there are an increasing number of services that can be used to calculate the trust of such identities and set thresholds for when they are accepted. Such sites calculate that, if a user has been using the same Facebook identity for five years and has accumulated a long back history of communications, it is unlikely to be a fake. In fact, because of the controls many social media organisations place around creating accounts, using them to create fake identities is more difficult than doing so through a registration process that involves a new unique account being created specific to a given service.

    However, if social media sites are to be used as a source of identity, businesses need to be savvy about how they go about it. Marketing departments cannot expect to convert users of third party social media sites directly across to their own applications; neither can they expect users to login multiple times or fill out several forms with the same information. To truly embrace social media requires it to be fully integrated with IAM systems and used as a means of single-sign-on (SSO) to multiple resources. Any company not using this effectively may be losing sales.

    The increasing use of IAM

    Patterns of use for IAM

    The three trends outlined earlier (the opening up of applications, the rising use of cloud and growing importance of social media), added to an increasingly complex mix of identity sources, are all drivers behind the growing use of IAM. Figure 6 shows that there seems to have been considerable investment in IAM since Quocirca last published research in this area in 2009¹ (which was focussed on privileged user management). 70% of organisations now have some sort of a system in place compared with around 25% just four years ago. Interestingly, around 50% said they had plans for IAM investment in 2009; plans which seem to have come to fruition despite the ensuing tight economic conditions. In a later section, "The IAM empowered business", the report looks at the reasons IAM systems are seen as important for achieving a range of IT objectives.

    The use of on-demand IAM-as-a-service (IAMaaS) is on the rise; 22% say this is their primary way of implementing IAM with a further 21% saying they have a hybrid on-premise/on-demand deployment.

    This leaves 30% of companies with no IAM system at all, with smaller companies being the least likely (Figure 7). They will find it hard to open up access to applications in the way that their competitors have. In the past small businesses may have considered that such systems were only affordable by large enterprises, however with the increasing availability of IAMaaS, where payment is by use, cost should no longer be a blocker.

    Authenticating users

    The data shown in Figure 8 examines the attitude the respondents had to various aspects of authenticating users. It is widely accepted that clearly establishing identities is essential. Overall, 84% of all respondents say the need to do so is true for their organisation.

    When it comes to checking identities, 77% are likely to use strong authentication (this is especially true of telcos and financial services). However, only a small number of respondents say they use hardware token providers (as a primary source of identity), probably because of the cost. The main reason that businesses will have turned to hardware token providers as a source of identity in the first place is because they are also a source of strong authentication. Given the importance attached to strong authentication, many are probably seeking lower cost software-based alternatives that make use of spatial and/or temporal co-ordinates or making use of mobile phones (unsurprisingly, telcos take a lead here too).

    70% say they no longer rely entirely on usernames and passwords to authenticate users (again, this is especially true of telcos). IP addresses are used for authentication by 82%; if used alone this would be a concern because IP addresses can be spoofed by hackers who want to make their attacks appear to come from legitimate locations. However, it is unlikely that IP addresses are being used as a primary means of identity; they are probably just an additional attribute that may be used as part of a strong authentication process.

    As many as 54% say they sometimes transact without first establishing the identity of users. This was especially true of telcos (83%) and financial services (77%). There may be good reasons for this, for example when asking for a quote for insurance or mobile phone service plan many do not want to give all their details before seeing the cost. However, it is likely that, in other cases, collecting such information is simply seen as too arduous, which it need not be if the supporting IAM tools were in place. In many cases the customer experience could be improved.

    Multiple sources of identity

    Obviously, all organisations have some existing source of identity for their own employees. For 68% of the respondents to the current survey the main one is Microsoft Active Directory (Figure 9). When it comes to the broader community of users, Active Directory is less widely used. For mobile users and contractors it is still likely to be the main source, but less so.

    Whilst Active Directory is widely used, it, and most other directories, has not been designed to scale up for the emerging use cases where some organisations are now engaging with tens or hundreds of thousands of users from other businesses, maybe millions of consumers.

    There are other challenges that are tricky to resolve with a policy that relies on a single organisational user directory. Many IT departments have to cope with mergers and acquisitions at some point; this may mean merging two different directories. With federated IAM, both can be maintained, at least in the short term, with both being used as identity sources. Many cloud-based applications also have their own directory of users, which can be integrated as part of a single overall user identity in a federated IAM system and access provided via SSO.

    A growing minority of organisations are already exploiting other sources, either as a primary or secondary means of identifying and authenticating external users (Figures 10 and 11). These include:

    • The external directories of partner and customer organisations are the most widely used primary source of identity for users from customer and partner organisations.
    • Professional body membership listings, for example legal and medical practitioners, are most commonly used as a secondary source of identity for users from customer and partner organisations.
    • Government databases are used to a limited extent, an opportunity that could be exploited further.
    • Social media, as pointed out in the introduction, currently is most likely to be used for consumers but with huge future potential for all types of user as the age of BYOID dawns. As Figure 4 showed, identifying and communicating with potential new customers is currently a leading use case for social media, but there is a range of others, including analysis of customer likes and dislikes.

    Of course, this still leaves many organisations with no source of identity for external users, either because they are not engaging with them effectively through IT or because their current IAM capabilities do not allow them to, which may mean they are missing out on potential rich seams of user information to help attract new business.

    The IAM empowered business

    The growing diversity of users and the consequent range of sources of identity underlines why so many organisations have seen the need to invest in IAM tools that can link multiple identity sources and provide federated access based on policy.

    Figure 12 shows how respondents rated IAM as a means of enabling various IT management requirements. Top of the list was the enforcement of access policy for users; beyond this it was about improving the user experience through providing self-service and federated access as well as ease of provisioning.

    Scalability to cope with unknown numbers of users was low on the list; for some this may be because they do not understand the limitations of existing directories, or because they do not know there are tools that can help with this; others may simply take it for granted as they have such tools in place already. The perception of IAM as an enabler for access to cloud-based applications (software-as-a-service/SaaS) is also low, but the evidence of this research is that it can be a key enabler for those that are making extensive use of cloud services.

    Policy enforcement is generally achieved using advanced single-sign-on (SSO). Once a user is authenticated, all relevant resources are opened up and their use audited. There is a benefit to customers in doing this; from the earliest stages of interaction each individual can be assigned a unique internal identifier linked to a range of other attributes, including their existing social and/or business identities, which, as far as they are concerned, is their primary identity.

    A new user can be provisioned once via SSO and have immediate access to both on-premise and cloud-based resources from any device (dependent on policy). Perhaps more importantly, their access to all resources can be de-provisioned in an instant when the need arises and there are no legacy passwords held in cookies etc. on their devices.

    SSO simplifies things for both the user and the access provider. It is about much more than a one-time validation of an identity. An SSO system acts as a hub and, based on the parameters associated with a given identity, it can control access to applications and data and enact policies about what a given user or class of users are entitled to with that access. Those actions can also be readily audited. Because such policies can be based on the results of analysis of content, it is still possible to deny access to certain classes of information even when documents are misclassified or stored in the wrong place.

    To engage with external users it is often necessary to be able to extend the metadata that describes a user. When this is the case, parameters can be added and used to decide what resources to allow or deny access to and, where needed, additional criteria required by different applications associated with a given identity. Flexibility is important as these parameters may change over time and new ones may need to be added.

    Most recognise that to deploy advanced IAM and to make use of federated services requires standards (Figure 13). LDAP, a general IAM standard for exchanging identity information between systems, topped the list, being seen as essential or useful by 88% of respondents. However, 60% recognised the growing importance of SCIM, a standard for simplifying identity management in the cloud.

    Although IAM has many potential business benefits (making it easier to attract new customers, increasing business with existing customers, improved user experience and making business processes more efficient, all of which can provide an overall competitive edge), IT departments seem to be underselling IAM. Many seem more aware of the IT operational benefits than the business ones (Figure 14). Although just under half felt it was true that "the business is not interested in our IAM systems", it seems there are board members ready to listen.

    Those that have not persuaded their bosses to take an interest may fail to get the go ahead for enhanced or new investments. They should learn from the more insightful that are focussed on the business benefits and presenting these as an opportunity. And there is good news for all; the task of securing investment has been made easier by the increasing availability of IAM-as-a-service (IAMaaS).

    The emergence of IAM-as-a-service (IAMaaS)

    IAM-as-a-service (IAMaaS) is the provision of IAM capabilities on-demand over the internet; many such services provide all the capabilities of an on-premise system with additional benefits unique to IAMaaS, which are summarised in the next section (Table 2). Provision of IAMaaS may be direct from an IAM vendor or from a service provider using a vendor's product. The number of vendors offering IAMaaS has risen in the last 4–5 years and many more buyers reviewing options for IAM will now be evaluating IAMaaS.

    The recognition of the benefits of IAMaaS is widespread (Figure 15), more so than its actual use, which, as reported earlier (Figure 6), was 22% for pure IAMaaS deployment and 21% for hybrid use, where IAMaaS is integrated with on-premise IAM. This combination has its own set of benefits, also outlined in the next section (Table 3). This understanding of the benefit of IAMaaS, even by those currently using a purely on-premise system or having no current IAM system, suggests plenty of opportunity for the providers of such services or those considering deploying them.

    Just as with IAM in general, respondents to the current survey were more likely to recognise the IT rather than the business benefits of IAMaaS, especially the operational cost savings (Figure 16). Many will also like the fact that, as with most on-demand services, payment is out of operational expenditure (OPEX) rather than requiring upfront capital expenditure (CAPEX). There was also widespread recognition that IAMaaS can lead to improved employee productivity; for example access to a wide range of resources can be more easily made to an increasingly mobile workforce.

    All the business benefits of IAM in general (making it easier to attract new customers, increasing business with existing customers, improved user experience and making business processes more efficient) also apply to IAMaaS. Other benefits beyond the cost savings that apply to IAMaaS in particular include the ease of providing access to all users, especially external ones.

    As was pointed out in the introduction (Figure 3), the acceptance of cloud-based services in general is now widespread. 22% of respondents can be considered to be cloud enthusiasts whilst another 23% can be considered to be cloud avoiders. Contrasting these two groups and their views on certain issues has proved to be interesting and will be the subject of a forthcoming Quocirca report⁶; for now, the current report will look at views on IAM in particular.

    First, respondents were asked about the importance of certain security technologies for providing access to cloud-based services (Figure 17). Even cloud avoiders accept they have to use at least some cloud services and see the need for audit trails and content filtering. Whilst cloud enthusiasts also recognise the same needs, they also widely acknowledge the benefits of IAM, SSO and linking identity and content through policy. These are all integral capabilities of most advanced IAM systems. In other words, cloud enthusiasts see IAM as essential for enabling their use of cloud.

    Also, as Figure 18 shows, the enthusiasts were far more likely to have deployed IAM, with 97% having something in place compared to just 26% of avoiders. Not surprisingly, the majority of enthusiasts (65%) are choosing IAMaaS either as their sole IAM capability or as part of a hybrid system. Of course, cause and effect may be debatable, "we use cloud therefore we need IAM" or "because we have IAM we can use cloud", but the linkage is clear. Cloud-based services are going to continue to be seen as an effective way of delivering many IT services and IAM enables this. If you are using cloud-based services in general, why not use them for IAM too? Why not IAMaaS?

    The benefits of IAM

    Deployed effectively, IAM benefits both the business and the IT department. IAM is the key to the opening up of applications to external users, the exploitation of social media and the adoption of cloud services. The business and operational benefits are listed in the three tables that follow; first for IAM in general, then IAMaaS in particular and finally for hybrid deployments.

    Table 1: Benefits of advanced identity and access management

    BUSINESS BENEFITS

    OPERATIONAL BENEFITS

    Transacting directly with customers is the number one motivator for opening up applications to external users, with 87% of respondents saying it was a primary or secondary motivator. Advanced IAM enables businesses to transact securely and efficiently with a wide range of users.

    Enabling federated access to existing and new applications for both external users and employees is seen as one of the top IT management benefits of advanced IAM by around 80% of respondents.

    Advanced IAM enables business growth and innovation through supporting the simple creation of new online revenue streams and increased customer satisfaction. 46% of respondents already recognised IAM as essential to achieving certain business goals.

    84% of respondents believe that clearly establishing identities is essential in ALL cases before commencing a transaction. Advanced IAM enables access to both cloud-based and on-premise applications to be controlled via a single identity.

    The process of mergers and acquisitions can be eased by the rapid sharing of resources, enabling the federating of two different directories of users from each organisation via IAM.

    82% of respondents believe IAM is essential to achieving IT security goals. Advanced IAM enables the rapid provisioning of all types of new users and, as important, their immediate and comprehensive de-provisioning when the relationship with a given user ends.

    User self-service was seen as the number two management benefit of IAM, selected by 81% of respondents. Allowing users to reset their own passwords and be automatically granted access to new applications based on policy is good for user experience and makes for more efficient IT operations. This increases customer satisfaction and reduces operational costs.

    The opening up of a wide range of alternative sources of identity via the use of open standards is essential to achieving federated IAM. 88% say LDAP is essential or useful and there is increasing awareness of SCIM, with 60% saying it is essential or useful.

    Table 2: Benefits specific to IAM-as-a-service

    BUSINESS BENEFITS

    OPERATIONAL BENEFITS

    58% of businesses already provide direct access for consumers, business partner users or both to their applications. IAMaaS eases the provision of access as such systems are designed for remote access from the bottom-up.

    Lower cost of management was the top benefit cited for IAMaaS (52% of all respondents). As with any on-demand service, IAMaaS systems do not require installation and configuration, they can be rapidly deployed and do not require specialist in-house skills.

    As it is itself a cloud-based service, IAMaaS, in particular, enables the easy federation of applications from different cloud service providers for all types of user, easing the creation of new partnerships. 59% of respondents already recognised the benefit of this.

    Lower cost of ownership was cited by 50% of all respondents as a benefit of IAMaaS, which costs less to implement than an on-premise system due to economies of scale (shared infrastructure costs).

    As the use of IAMaaS is easily scalable, it can be expanded or contracted based on needs. For example, if a new consumer service is launched it may take off or flop; either way an under or over investment will not have been made.

    As with most on-demand services, payment is out of operational expenditure (OPEX) rather than requiring upfront capital expenditure (CAPEX). Costs are therefore on a more predictable pay-as-you-grow basis. This allows organisations to experiment with the benefits of advanced IAM and prove the value without major upfront investment, often by tackling a few tactical projects in the early days.

    Identifying and communicating with potential new customers is one of the top reasons for business use of social media. Certain IAMaaS systems have pre-configured links to many social media sites, enabling easy integration into business processes and the growing use of bring-your-own-identity (BYOID).

    IAMaaS improves IT productivity with no identity infrastructure to manage; IT staff are freed up to focus on other tasks and innovation.

    52% of all respondents saw improved employee productivity as a benefit of IAMaaS. It provides easy access to a wide range of resources for all employees, including those working remotely.

    IAMaaS, like all on-demand software services, provides immediate access to new features without the need to install updates and the down time that can entail.

    Table 3: Benefits specific to hybrid on-premise plus IAMaaS

    BUSINESS BENEFITS

    OPERATIONAL BENEFITS

    More sensitive applications can remain internalised, with access rights restricted to those listed on the internal directory only, whilst transactional applications can be opened up to all via the IAMaaS system. This is an aid to the 81% who see IAM as necessary to achieving IT security goals.

    Continued use can be made of existing legacy IAM and directory deployments whilst advanced capabilities can be integrated from an IAMaaS system.

    IAMaaS systems are already integrated with many cloud applications (e.g. Google Apps, Office 365 and WebEx). They are, therefore, ready-to-go for the business without having to rely on IT to configure or write interfaces. Adding IAMaaS to an existing on-premise deployment adds such capabilities at a click.

    Many cloud-based applications also have their own directory of users, which can be integrated as part of a single overall user identity in a federated IAM system with access provided via SSO, linked to on-premise applications via existing internal IAM.


    Conclusion

    Having an IAM system in place is now seen by many businesses as essential to achieving a wide range of IT and business goals. Primary amongst these are the opening up of more and more applications to external users, the growing use of cloud-based services and the rise of social media. The ultimate aim is to nurture new business processes, thereby finding and exploiting new opportunities. The number of businesses that have deployed IAM has increased dramatically over the last four years.

    Those organisations that lack effective IAM are likely to lag behind their competitors in these areas as more and more business-to-business and business-to-consumer transactions move online, cloud services become the mainstream source of IT applications and services for many businesses and social media takes centre stage as a source of identity. IAM has moved from a security tool to become a business enabler.

    The availability of IAMaaS has brought access to enterprise IAM capabilities within reach of smaller organisations and, for larger organisations with legacy IAM and directory systems, IAMaaS can provide them with the agility to embrace all these opportunities through integrating them into a hybrid system. This has led to a rapid growth in the use of IAMaaS either as the sole way a business deploys IAM or as part of an on-premise/on-demand hybrid deployment.

    However identity management is achieved, the majority of businesses now see it as essential. The statement made at the start of this report, that identity is the new perimeter, is already a reality and will become more so as IT users and applications disperse ever more and traditional IT security boundaries look more and more dated.


    Appendix 1: country level data

    Certain observations regarding the variation between organisations in different industry sectors have been made throughout the report. Some comment has also been made on the variations between organisations of different sizes, especially with reference to the deployment of IAM. These observations are made across all 337 surveys. Appendix 1 shows some of the variations between countries, although it should be pointed out that for some countries the samples are too small for significant conclusions to be drawn (see Appendix 2, Figure 31).

    Open up applications, attitude to cloud and adoption of social media

    Organisations in the Nordic and Benelux regions were more likely to be opening up their applications to consumers than those from further south; Iberia and Italy (Figure 19). However, a strong motivator for all to do so was to transact directly with customers (Figure 20). Conversely, Italian and Iberian organisations were the least likely to be cloud avoiders (Figure 21), so all have good reason to look at IAM, albeit with the reasons for doing so varying. The Nordics are leading the way with use of social media for identifying and communicating with potential customers (Figure 22), which ties in well with their enthusiasm for opening up applications to consumers.


    Deployment and use of IAM

    The Nordics may find it easier to embrace open applications and social media if more of them put IAM systems in place; they were some of the least likely to have done so. Overall, Iberian organisations were the most likely to have done so and the most likely to have deployed IAM-as-a-service (Figure 23). UK-based organisations are hot on strong authentication, with those in the Benelux region taking little interest (Figure 24).

    Italians were the least likely to see IAM as important for providing federated access to external users, whilst, in line with other findings, Nordics were keen. However, Italians were the most likely to extol the virtues of IAM for simplifying access to SaaS-delivered applications (Figure 25). The need for scalability of IAM for unknown numbers of users was most recognised amongst the countries with the largest populations (Figure 26), which makes sense, whilst only in the Nordics and Israel did the majority think IAM was very important for access policy management/enforcement, although most saw it as at least fairly important.


    Benefits of IAMaaS

    Italians and Iberians were the most optimistic that the business was interested in their IAM systems (Figure 27) and in all areas but the UK the majority felt there were benefits to be had from IAMaaS (Figure 28). When it came to the benefits of IAMaaS, those from the Benelux region were again focussed on integrating external users, whilst Italians were the most interested in saving a bit of money, although this was important to all (Figure 29).

    Benelux, Israeli, Nordic and UK based organisations were the most likely to recognise the power of IAMaaS to open up new revenue streams, whilst the French and Italians were focussed on new business processes. The Iberians took little or no interest in either of these issues (Figure 30). That said, awareness of these business benefits needs to increase across the board to bring them more in line with the operational IT benefits.


    Appendix 2: demographics

    The following figures show the distribution of the research respondents by country, size, sector and job role:


    Appendix 3: references

    1 - Privileged user Management, Quocirca 2009
    http://www.quocirca.com/reports/430/privileged-user-management--its-time-to-take-control

    2 - The identity perimeter, Quocirca 2012
    http://www.quocirca.com/reports/791/the-identity-perimeter

    3 - UK Cabinet Office web site
    http://www.cabinetoffice.gov.uk/resource-library/identity-assurance-enabling-trusted-transactions

    4 - Social media continues to rise in popularity among high street banks, Virgin Media study
    http://www.virginmediabusiness.co.uk/News-and-events/News/News-archives/2012/Social-media-continues-to-rise-in-popularity-among-high-street-banks/

    5 - Quocirca, The data sharing paradox, 2011
    http://www.quocirca.com/reports/620/the-data-sharing-paradox

    6 - Forthcoming cloud report 2013
    Quocirca will be publishing a follow-on report on the use of cloud-based services


    About CA Technologies

    CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organisations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud.

    IT Security solutions from CA Technologies can help you enable and protect your business, while leveraging key technologies such as cloud, mobile, and virtualisation securely to provide the agility that you need to respond quickly to market and competitive events. Our identity and access management (IAM) solutions can help you enhance the security of your information systems so that you can improve customer loyalty and growth, while protecting your critical applications and data, whether located on-premise or in the cloud. With more than 3,000 security customers and over 30 years' experience in security management, CA offers pragmatic solutions that help reduce security risks, enable greater efficiencies and cost savings, and support delivering quick business value.

    CA CloudMinder™ provides enterprise-grade identity and access management capabilities as a hosted cloud service supporting both on-premise and cloud-based applications. Deployed as a service, CA CloudMinder drives operational efficiencies and cost efficiencies through speed of deployment, predictability of expense and reduced infrastructure and management needs.

    www.ca.com/mindyourcloud


    REPORT NOTE:

    This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations with regard to IAM.

    The report draws on Quocirca's research and knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.

    About Quocirca

    Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

    Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

    Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

    Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

    Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms.

    Details of Quocirca's work and the services it offers can be found at http://www.quocirca.com

    Disclaimer:

    This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may have used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner.

    Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice.

    All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.
